Mozilla Considers Blacklisting Java

| by Alex Blewitt Follow 4 Followers on Oct 03, 2011. Estimated reading time: 1 minute |

A note to our readers: You asked so we have developed a set of features that allow you to reduce the noise: you can get email and web notifications for topics you are interested in. Learn more about our new features.

The Mozilla Foundation has publicly considered disabling Java from running in the browser environment, thanks to recent research that indicates Java is the top of the three vectors for security exploits in the browser. Recent research investigating how Windows machines can easily be compromised puts Java at the top of the list, with unpatched Java Runtime Environment flaws accounting for 37% of the vulnerabilities, followed closely by Adobe Reader at 32% and Adobe Flash at 16%.

Whilst developers often keep up to date with the latest versions of the developer kits, browsers often do not update the Java Runtime environments, typically because it is a hidden component that people often forget about. Although all browsers can selectively disable Java support, it is often added automatically if a JRE is discovered on the system.

Whilst Java owes its ubiquitousness to the fact it was once shipped with the Mozilla browser, bringing Applets to the masses, these days Java is rarely used on the client side. That's not to say it isn't used: some runtime environments use Java as a means of communication – such as Facebook Chat – although the upcoming WebSockets protocol is likely to usurp even this usage.

However, the existence of Java on the client has been brought into the forefront recently, with the existence of the BEAST (Browser Exploit Against SSL/TLS) cracking technique. This has led to a suggestion on the bug list to blacklist the Java plugin due to security vulnerabilities caused by the plugin itself.

Although the BEAST attack is only effective against TLS 1.0 (the TLS version 1.1 is immune to the attack, but not widely deployed), some of the initial packet sniffing may be achieved with a compromised JRE hosted in the browser itself.

InfoQ reached Oracle for comment but has not yet received a response. No decision has been made on blacklisting the Mozilla Java plugin.

Rate this Article

Adoption Stage

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Tell us what you think

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread
Community comments

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread


Login to InfoQ to interact with what matters most to you.

Recover your password...


Follow your favorite topics and editors

Quick overview of most important highlights in the industry and on the site.


More signal, less noise

Build your own feed by choosing topics you want to read about and editors you want to hear from.


Stay up-to-date

Set up your notifications and don't miss out on content that matters to you